5626678c16436544de0a3956b8c1395a4540ae2a990cb08aa6cd74723f7131bc

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 22:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
Size

3.6MB
MD5

14db6e54a1f612a53178176873f85620
SHA1

2952db875de4e0f0131c032d0eff86ac50a19e1c
SHA256

5626678c16436544de0a3956b8c1395a4540ae2a990cb08aa6cd74723f7131bc
SHA512

3645ffcd167afe44b239307f80cf565355a527a2b9ae15520d9238ca49e91c08d6eb217d0e09d31dde3a91099641e90efd1cbfa8383c02ec1caf5d8edb37bded
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	ecaopti.exe
1812	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files06\\xdobec.exe"	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDW\\boddevec.exe"	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe
2368	ecaopti.exe
2368	ecaopti.exe
1812	xdobec.exe
1812	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2368	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	88
PID 2684 wrote to memory of 2368	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	88
PID 2684 wrote to memory of 2368	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	88
PID 2684 wrote to memory of 1812	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	89
PID 2684 wrote to memory of 1812	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	89
PID 2684 wrote to memory of 1812	2684	14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14db6e54a1f612a53178176873f85620_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Files06\xdobec.exe
  C:\Files06\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files06\xdobec.exe

Filesize
3.6MB

MD5
49747e5ab3da639e4dfc43f47e3d1881

SHA1
6ad46e094873d522147f09348304ddc98af344f2

SHA256
9a12d2c9c2ed08a6bd276e4ec32136dccd34e07663e84bb72e5f57b2db369d2d

SHA512
4621b4d66c62ab4a5bfe29c03fc43d7043a2db6089ee7ebd2a1321c86095e871c0e8766c6eadfd156631f90d3bfaeb9faa4466af54fcfa1ce6642ae88a862938

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
6d4db8f8137722cb7e944bd63ecca526

SHA1
9dbceebd1d119edc466ced535de9c6b3640a0f5c

SHA256
e4fbd90809cf054fe718f462fc8e0741b472bd0586e0b5f2f2158827bdd34c28

SHA512
417473f3e99c74f57dfbc775278de83c65848fad4284982ff4bf7e23d18252887c7bd0772549389ff5862cd12aecbf524182a4d6e1a7516a12cbf14eb3d0cc93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
99b195d2de3dc762989fadebf6a3b9b3

SHA1
0b6513ce04f746fcc86e30e9d18a947a52f5a66a

SHA256
0c8f87d8b58a54b19feec8ec5c698984a507ca87be4437b74701b014d48e42c3

SHA512
0fa387e38a9241ccdfeeb748a6c807a6b61378638b24e7f622a6f072cdf45f22a7fd5ed27adfda15e93ab542f38872dd061aabf114d59320389487d99ee0325c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.6MB

MD5
ccafdbf0d339c0e1f2c4ad02b14ffa7b

SHA1
4413f3901f0625fdd0702431dc84d4db209d1a86

SHA256
42466f3b52cc16d2b56001fa520ba7a2d9bf7b43702e189dc619c0ad198cd9ca

SHA512
552b52dd09f43d2ff3a9a7de03a7cb5f91be6d59dae948d58c580152225437661123820b99f44daa50f9abd88ab62b45468f6d15fea9fd8d9847558dc631bee1

Download Submit
C:\VidDW\boddevec.exe

Filesize
1.2MB

MD5
b8e65fceefb8f693bf32aafdee42cf83

SHA1
d90bf07ffce96a75dc35ef1b78829a8ce1489f6f

SHA256
ee6c55a8ba0ab295f4a100916ef090bc892a8c885128188114a4a823764f6a47

SHA512
cc6c68f2175a73fbd492cabb77f04fca5038ba1f4dd86cc409ef0ca9db4317af91457ca9117515cb852e52e0439b164eb6c6c50fc1b773a783097a7ad7c49e7f

Download Submit
C:\VidDW\boddevec.exe

Filesize
3.6MB

MD5
6841e9055f78ff28c76173072d333a77

SHA1
3f17a456381b8d7af486d02398d9e47e295dd1a0

SHA256
d41fbd1d5d7c0211a96a78a7ff674387926267515ad052b813acd2d8bc45a083

SHA512
9f94c45c4353ec57060bd593528e6e19ec1184b1b5a19cc4037c30c7b532a76d6002609fc5bbd25788588b7fad599b4c383025c5f4ec775ad58fe09f9794d31c

Download Submit